enhancement update in Fedora 25 for ca-certificates

Status: stable 2 years ago

This update supports a new PKCS#11 attribute CKA_NSS_MOZILLA_CA_POLICY. The attribute has been defined by NSS version 3.30. The attribute is expected to be set to true for CA certificates that have been added as part of the Mozilla CA Policy process.

The enhancement is required for compatibility with the future Firefox 54 release, which will query this attribute when accessing root CA certificates from the loaded CA trust module. On Fedora, Firefox is configured to access the p11-kit-trust module, instead of the NSS CA trust module nssckbi. This change to the ca-certificates package will make the attribute available to p11-kit-trust and Firefox.

Support for this new attribute requires p11-kit-trust version and build 0.23.2-3, which contains the relevant backported functionality from upstream version 0.23.5.

To enable the addition of this attribute, the ca-certificates package has been changed to use p11-kit-trust's flexible p11-kit-object-v1 file format for the internal packaging of the CA certificates list.

The update-ca-trust command has been changed to add comments to extracted PEM format files.

The changes in this package version shouldn't affect any existing functionality or trust.

Comments 17

This update has been submitted for testing by kengert.

kengert edited this update.

works for me the whole day (firefox, thunderbird....)

karma: +1

This update has been pushed to testing.

Works here on x86_64.

karma: +1 critpath: +1

works for me

karma: +1
karma: +1 critpath: +1

no regressions noted

karma: +1

works for me

karma: +1

No regressions here

karma: +1

works for me

karma: +1

https in firefox works fine

karma: +1

This update has been submitted for stable by kengert.

This update has been unpushed.

This update has been submitted for stable by kengert.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
Test Gating
Submitted by
Update Type
Update Severity
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Autopush (time)
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Related Bugs 2

00 #1418739 ca-certificates must set the nss-mozilla-ca-policy pkcs#11 attribute for Mozilla CAs
00 #1418741 Change the CA + trust input format given from ca-certificates to p11-kit-trust

Automated Test Results